Computer-security researchers have estimated that up to 50% of computer-security threats have some form of dependent or shared-object-based component. These threats typically “inject” malicious dependent software components (such as DLLs) into otherwise legitimate processes. The malicious code contained within the injected component may then perform malicious actions under the cover of an otherwise legitimate process.
For example, a malware developer may register a malicious DLL (by, for example, tricking a user into running a malicious executable file or by exploiting a buffer overflow in a legitimate application) for loading by a trusted application, such as MICROSOFT WORD for WINDOWS. In this example, when MICROSOFT WORD loads, the malicious DLL will also load and launch, potentially scheduling background threads that launch attacks directly from the process space associated with MICROSOFT WORD.
Since a trusted process may load a large number of dependent software components, and because the trustworthiness of a large majority of these components may be unknown (since, for example, such dependent software components may lack trust indicators, such as digital signatures), attempting to detect, track, and determine the trustworthiness of each of these components may severely impact system performance. Moreover, because malicious dependent software components may run under the cover of an otherwise legitimate process, it is sometimes difficult to eliminate malicious dependent software components without also harming their legitimate host processes.
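The two problems just described, a trusted process carrying many dependent components and most of those components lacking a trust indicator such as a digital signature, can be seen directly by inventorying the modules a live process has loaded and checking each one's Authenticode status. The following PowerShell function is an added illustration written for this text; it is not code from the patent. It assumes Windows PowerShell 5.1 or later on a Windows host, that the caller has sufficient privilege to read the target process's module list, and that the process to inspect is named with its image name (for example WINWORD for MICROSOFT WORD); the function name Get-ProcessModuleTrust and its output fields are choices made here.

```powershell
# Added example (not from the original text): inventory the dependent
# components (DLLs) loaded by a process and record each one's signature status.
# Assumptions: Windows PowerShell 5.1+, a Windows host, and privilege to read
# the target process's module list. Get-AuthenticodeSignature is a built-in
# cmdlet; the function and field names below are this example's own.
function Get-ProcessModuleTrust {
    param(
        # Image name without extension, e.g. 'WINWORD' (assumed name for Word).
        [Parameter(Mandatory)] [string] $ProcessName
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # $proc.Modules throws for processes whose bitness differs from the
        # PowerShell host or that the caller may not open; report and continue.
        try {
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
            continue
        }

        foreach ($module in $modules) {
            $path = $module.FileName
            try {
                $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction Stop
                $status = [string] $sig.Status          # Valid, NotSigned, HashMismatch, ...
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            } catch {
                $status = 'CheckFailed'
                $signer = $null
            }

            [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $module.ModuleName
                Path      = $path
                Status    = $status
                Signer    = $signer
            }
        }
    }
}

# Summarise how many loaded components fall into each trust bucket, and list
# the ones that carry no usable trust indicator for closer review.
$inventory = Get-ProcessModuleTrust -ProcessName 'WINWORD'
$inventory | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$inventory | Where-Object { $_.Status -ne 'Valid' } | Format-Table ProcessId, Module, Path, Status -AutoSize
```

The first table makes the scale of the problem concrete: even a single office process typically reports well over a hundred modules, and the check costs a file read and a signature verification per module, which is the per-component overhead the text warns about. The second table is the review list, not a verdict: a status of NotSigned or CheckFailed says only that the component lacks a trust indicator this check can use (operating-system files signed through catalogs, for instance, may or may not be recognised depending on the Windows version), and a Valid signature says only that the file is intact and attributable to its signer, not that loading it into this particular process was intended.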